
Sr. GRC Analyst
About evermore
evermore is a technology company that administers Smart Benefits to connect people to products and services they need, when they need them, so they can live healthier lives. We partner with payers and retailers to deliver expansive benefits for things like healthy foods, OTC medications, or transportation. evermore is reinventing benefits administration so that everyone benefits with more value for each and better outcomes for all. evermore is a Series B stage company, backed by leading investors including General Catalyst, Define Ventures, Lightspeed Venture Partners, Pinegrove Capital Partners, and Qiming Venture Partners.
The Job at a Glance
Working within the security function, the GRC Analyst will be responsible for managing the company’s regulatory and self-driven compliance targets, primarily utilizing the Vanta platform. This role requires expertise across a broad scope of frameworks, including PCI, HITRUST, HITECH, HIPAA (Security Rule), SOC 2 Type 2, and FedRAMP Moderate (NIST 800-53). A core function is to handle evidence gathering for all audits, present assessment results, and conduct necessary gap/fit analyses, especially for advanced controls like those required for FedRAMP Moderate. The analyst will also coordinate and support high-volume commercial and state audits.
What You Will Do
Working within an organization created at the intersection of health care, retail and financial technology, no two days will look the same. Typical responsibilities of the role include:
- Manage regulatory and self-driven infosec compliance targets, including conducting work within the Vanta platform.
- Gather necessary evidence for all security audits and present subsequent assessment results.
- Review and determine the correct security training for all employees.
- Serve as the primary resource for internal gap/fit analysis on new controls, such as those required to meet the definition of FedRAMP Moderate.
- Coordinate commercial audits/assessments and collaborate closely with the legal and compliance function on privacy compliance matters.
- Support compliance across established frameworks including PCI, HITRUST, HITECH, HIPAA, NIST and SOC 2 Type 2.
- Perform and manage security risk reviews for third-party vendors.
- Lead and support Disaster Recovery (DR) and Business Continuity Planning (BCP) activities, including planning, testing, and documentation to ensure organizational resilience.
- Participate in risk management activities, including maintaining and updating risk registers, advising stakeholders on mitigation strategies, and monitoring risk metrics across the organization.
About You
While every candidate brings a unique resume and perspective, an ideal candidate will bring:
- Proven experience managing or executing compliance programs covering frameworks such as PCI, HITRUST, HIPAA, and SOC 2 Type 2.
- Demonstrated ability to perform internal gap/fit analysis related to complex security control standards.
- Experience with audit tooling environments like Vanta, including the collection and management of audit evidence.
- Background in coordinating external commercial and state-level compliance assessments.
- Familiarity with HITECH requirements, HIPAA Security Rule and FedRAMP.
- Strong organizational skills necessary to manage high-volume, 'bursty' audit assessment workloads.
- Ability to work proactively and understand what is needed to accomplish compliance objectives.
- Bachelor’s degree or similar experience strongly preferred.
Other Requirements
- Travel may be required from time to time as part of the role, for company events and business needs.
- evermore is a remote-first, distributed workforce. Candidates should be comfortable with, and equipped to work within, a distributed remote team, including having reliable internet access and basic home office equipment. evermore will provide a work laptop, and a mouse/keyboard upon request.
- Legal authorization to work in the US is required. At this time, evermore will not consider candidates who need sponsorship, now or in the future.
- All offers for employment are contingent upon successful completion of a background check.
What We Offer
- Competitive base salary ranging from $166,050 to $219,625, discretionary bonus, and equity, depending on experience/qualifications
- Benefits
  - Medical, Dental, and Vision insurance with 90% paid employer premium contributions for all tiers
  - 100% Employer Paid Short-Term & Long-Term Disability
  - 100% Employer Paid Basic Life Insurance Policy
  - Employee Assistance Program (EAP)
  - 401(k) Program
  - Discretionary PTO
  - Paid holidays
  - Parental Leave
  - Flexible work schedule within core hours
  - Work anywhere in the USA as we are a fully distributed team from coast to coast
Soda Health Inc. dba evermore is an equal opportunity employer, Minority/Female/Disability/Veteran/LGBTQIA+ – proudly embracing diversity in all its manifestations. Applicants requiring reasonable accommodation for the application and/or interview process should notify a representative of the People Operations Team via Careers@sodahealth.com.
evermore participates in E-Verify, the federal program for electronic verification of employment eligibility.
To all recruitment agencies: evermore does not accept agency resumes, please do not forward them to any Soda Health employees.